FreeRADIUS and Linux for Your WLAN

Last week we had an bird's-eye of the current state of wireless security protocols, and a quick peek at using a RADIUS server for authentication, authorization, and accounting. Today we shall configure FreeRADIUS to secure wireless authentication and transmission. A RADIUS server running on Linux can authenticate clients on any platform.

We are going to implement EAP-TLS encryption, because it is widely supported and secure. Be sure you have FreeRADIUS and OpenSSL installed. Then create your SSL certificates, copy them to the server and clients, set up client access on the RADIUS server, and poof! all done.

Ok, so I wouldn't call it easy. But it's not too bad. The neat thing about this is the server and clients authenticate to each other with the SSL certificates, so you don't need to hassle with logins and passwords.

Generating Server Certificates
First we will create a CA, or certificate authority. The CA authenticates your public user and server certificates, and also revokes them -- which you'll need to do as staffers come and go. (See Resources for a list of excellent books on the subject. Don't leave home without them.)

First, edit openssl.cnf, which should be in /etc/ssl/openssl.cnf, but given the herd-of-cats nature of Linux I make no promises, and edit it to include your own information. The file is big, but all you need is to find these lines and customize them:

Now find the certificate-creating script, hopefully /usr/lib/ssl/misc/CA.sh. At any rate find CA.sh. Edit this line to tell CA.sh where to put your new certificates, giving it any name you like:

CATOP=./masterCA

Then change to the directory where you want to store your certificates. /etc/ssl is the usual choice, and run CA.sh. You'll be asked to create a passphrase- make it gnarly, and write it down and lock it away.

Making CA certificate ...
Generating a 1024 bit RSA private key
......................++++++
..............................................................................++++++
writing new private key to './masterCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
US [US]:
Oregon [OR]:
Portland []:
Carlas Cookies [Carlas Cookies]:
Doughboys [Doughboys]:
Carla AceAdmin []:
carla@yummycookies.com []:

This creates the /etc/ssl/masterCA/ directory, and populates it with all manner of files and directories, including your new server CA, private/cakey.pem.

We'll use the /usr/bin/openssl command to do the rest of the work. /usr/bin/openssl has a lot of useful command-line options, and is better-suited for a job like this where we want to customize the certificate names. CA.sh is nice for simple needs, so consider this your formal introduction.

Next, create the signing request, naming the :

# openssl req -new -nodes -keyout masterkey.pem -out masterreq.pem

Now we'll sign the request:

# openssl ca -out master_cert.pem -infiles ./masterreq.pem

This creates master_cert.pem, our shiny new server certificate which will be copied to the FreeRADIUS server.

Configuring FreeRADIUS
Now it's time to copy keys to your FreeRADIUS server. On Debian, put them in /etc/freeradius/certs/masterkeys/, or some such, as long as they are in their own directory. On other Linuxes, /etc/raddb/certs/masterkeys/. Copy over cacert.pem and master_cert.pem. Make sure permissions and ownership are correct:

You may not have a "freerad" user and group; if your Linux distribution does not create a unique FreeRADIUS user and group, use root:nobody.

FreeRADIUS is a big ole bugger. For our splendid wireless authentication scheme, we need trouble ourselves with but two files in /etc/freeradius/, or /etc/raddb/ as the case may be: clients.conf, and eap.conf.

Configuring NAS
Configuring your NAS (Network Access Servers, for example your wireless access point) to use your FreeRADIUS server depends on which particular device you are using. You should need just the FreeRADIUS server IP and the shared secret.

Configuring the clients depends on what they are; Linux clients need the wpasupplicant package (wpa-supplicant on RPM systems). Import cacert.pem and the client key, and you should be good to go.

Windows XP and 2003 Clients
Windows XP and 2003 clients require some extra steps. For these you need to create PKCS12 format certificates. Go back to almost the beginning, right after you created cacert.pem. Create a file called xpextensions containing these lines: